Re: .root zone question



webby wrote:
In our environment we have a domain with three child domains. The DNS
servers in the parent domain were set up to use a '.' root zone as it
was said that this would be more secure than using root hints from
the internet. I always thought that you should not use a '.' root
zone. Could someone clarify this and tell me why it would have been
set up that way and what best practice is? Thanks.

The reason why it is said that having a root zone is more secure than using
root hints is because the server becomes authoritative over the entire DNS
name space. It will not use a forwarder and the root hints will not load.
You will have to delegate or create zones for every domain you wish to have
access to.
You can download a delegated root zone which will have all TLD delegations
existing in that particular root. Whether a fully delegated root zone is
more secure than using root hints depends on where you actually get the
delegated root from.
What really makes a root zone more secure is that a root server can only
resolve names for which it holds zones, and for domains that are
delegated. In that sense a root zone is more secure, but it also requires a
higher level of administration if any external resolution is required.

How to Delegate All Internet Top-Level Domains on an Internal Root DNS
Server: http://support.microsoft.com/default.aspx?scid=kb;en-us;294906

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
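
The behaviour described in the reply above, as an added example that is not part of the original post: a small Python model of how a server holding a "." zone decides what to do with a query. The zone names, name servers and function names are constructed for illustration.

```python
# Added example: models the lookup decision of a DNS server that hosts a "." zone.
# All zone names and name servers below are constructed sample data.

ROOT_ZONE_EXCERPT = """\
; constructed excerpt of an internal root zone (NS records only)
com.            172800 IN NS ns1.tld.example.
com.            172800 IN NS ns2.tld.example.
org.            172800 IN NS ns1.tld.example.
"""

HOSTED_ZONES = {"corp.test."}  # zones held locally besides "." (constructed)


def parse_delegations(zone_text):
    """Collect NS delegations (owner name -> sorted name servers) from zone text."""
    delegations = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, split columns
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            delegations.setdefault(fields[0].lower(), set()).add(fields[4].lower())
    return {owner: sorted(ns) for owner, ns in delegations.items()}


def enclosing_names(qname):
    """Yield a name below the root and each of its parent domains, longest first."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def root_server_decision(qname, hosted, delegations):
    """Return what a server authoritative for "." does with qname."""
    for name in enclosing_names(qname):
        if name in hosted:
            return ("answer", name)  # answered from a locally held zone
        if name in delegations:
            return ("referral", name, delegations[name])  # follow the delegation
    # Only "." matches: the server is authoritative and the name does not exist.
    # Root hints and forwarders are never consulted.
    return ("nxdomain", ".")


if __name__ == "__main__":
    table = parse_delegations(ROOT_ZONE_EXCERPT)
    for q in ("host1.corp.test", "www.example.com.", "www.example.net"):
        print(q, "->", root_server_decision(q, HOSTED_ZONES, table))
```

A name under a TLD that is neither hosted nor delegated (here `net.`) gets an authoritative negative answer, which is why the delegation list, and where it was obtained, decides what the server can resolve.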

